<p dir="ltr">I'm doing work now involving namespaces....the necessity is real.  I'll take a look early next week.</p>
<div class="gmail_quote">On Dec 20, 2013 10:34 PM, "Richard Guy Briggs" <<a href="mailto:rgb@redhat.com">rgb@redhat.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Log the namespace details of a task.<br>
---<br>
<br>
Does anyone have comments on this patch?<br>
<br>
I'm looking for guidance on which types of messages should have namespace<br>
information included.  I've included too many, I suspect.<br>
<br>
I also wonder if displaying these inode numbers in hexadecimal makes more sense<br>
than decimal, since they are all based around 0xF0000000.  These are all with<br>
reference to the proc filesystem, so a device number should not be necessary to<br>
qualify them.<br>
<br>
<br>
 include/linux/audit.h |    1 +<br>
 kernel/audit.c        |   29 +++++++++++++++++++++++++++++<br>
 kernel/audit_watch.c  |    1 +<br>
 kernel/auditfilter.c  |    1 +<br>
 kernel/auditsc.c      |    5 +++++<br>
 5 files changed, 37 insertions(+), 0 deletions(-)<br>
<br>
diff --git a/include/linux/audit.h b/include/linux/audit.h<br>
index 6976219..75fa602 100644<br>
--- a/include/linux/audit.h<br>
+++ b/include/linux/audit.h<br>
@@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);<br>
 struct filename;<br>
<br>
 extern void audit_log_session_info(struct audit_buffer *ab);<br>
+extern void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk);<br>
<br>
 #ifdef CONFIG_AUDITSYSCALL<br>
 /* These are defined in auditsc.c */<br>
diff --git a/kernel/audit.c b/kernel/audit.c<br>
index dc03a30..b4c39a9 100644<br>
--- a/kernel/audit.c<br>
+++ b/kernel/audit.c<br>
@@ -62,7 +62,15 @@<br>
 #endif<br>
 #include <linux/freezer.h><br>
 #include <linux/tty.h><br>
+#include <linux/nsproxy.h><br>
+#include <linux/utsname.h><br>
+#include <linux/ipc_namespace.h><br>
+#include "../fs/mount.h"<br>
+#include <linux/mount.h><br>
+#include <linux/mnt_namespace.h><br>
 #include <linux/pid_namespace.h><br>
+#include <net/net_namespace.h><br>
+#include <linux/user_namespace.h><br>
 #include <net/netns/generic.h><br>
<br>
 #include "audit.h"<br>
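Review bot: The new `#include "../fs/mount.h"` pulls a filesystem-private header into kernel/audit.c, presumably only to reach `struct mnt_namespace`'s `proc_inum` field from audit_log_namespace_info. Relative includes across subsystem boundaries tie the audit code to fs internals that are not part of any exported interface and tend to break on unrelated fs refactors. A small accessor exported from fs (or an existing public header, if one exposes the inode number) would keep the dependency explicit; the remaining `<linux/...>`/`<net/...>` includes are fine.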
@@ -292,6 +300,7 @@ static int audit_log_config_change(char *function_name, int new, int old,<br>
                return rc;<br>
        audit_log_format(ab, "%s=%d old=%d", function_name, new, old);<br>
        audit_log_session_info(ab);<br>
+       audit_log_namespace_info(ab, current);<br>
        rc = audit_log_task_context(ab);<br>
        if (rc)<br>
                allow_changes = 0; /* Something weird, deny request */<br>
@@ -657,6 +666,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)<br>
                return rc;<br>
        audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current), uid);<br>
        audit_log_session_info(*ab);<br>
+       audit_log_namespace_info(*ab, current);<br>
        audit_log_task_context(*ab);<br>
<br>
        return rc;<br>
@@ -689,6 +699,7 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature<br>
                return;<br>
<br>
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);<br>
+       audit_log_namespace_info(ab, current);<br>
        audit_log_format(ab, "feature=%s old=%d new=%d old_lock=%d new_lock=%d res=%d",<br>
                         audit_feature_names[which], !!old_feature, !!new_feature,<br>
                         !!old_lock, !!new_lock, res);<br>
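Review bot: The `audit_log_namespace_info(ab, current)` call is placed immediately after `audit_log_start()` and before the `"feature=%s ..."` format, so this record would begin with the space-prefixed namespace fields and only then the primary `feature=` key, unlike every other hunk in this patch, which appends the namespace fields after the record's main fields. For a consistent record layout (and for parsers that expect the record to open with its primary field) the call should move to just before `audit_log_end()` in this function, i.e. after the format call ending at `res);`. Whether audit_log_start() can return NULL here is not visible in the hunk; audit_log_format() tolerates a NULL buffer, but the namespace helper dereferences only task state, so no crash is introduced either way.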
@@ -1621,6 +1632,23 @@ void audit_log_session_info(struct audit_buffer *ab)<br>
        audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);<br>
 }<br>
<br>
+void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk)<br>
+{<br>
+       struct nsproxy *nsproxy;<br>
+<br>
+       rcu_read_lock();<br>
+       audit_log_format(ab, " pidns=%x", task_active_pid_ns(tsk)->proc_inum);<br>
+       nsproxy = task_nsproxy(tsk);<br>
+       if (nsproxy != NULL) {<br>
+               audit_log_format(ab, " usrns=%x", nsproxy->net_ns->user_ns->proc_inum);<br>
+               audit_log_format(ab, " utsns=%x", nsproxy->uts_ns->proc_inum);<br>
+               audit_log_format(ab, " ipcns=%x", nsproxy->ipc_ns->proc_inum);<br>
+               audit_log_format(ab, " mntns=%x", nsproxy->mnt_ns->proc_inum);<br>
+               audit_log_format(ab, " netns=%x", nsproxy->net_ns->proc_inum);<br>
+       }<br>
+       rcu_read_unlock();<br>
+}<br>
+<br>
 void audit_log_key(struct audit_buffer *ab, char *key)<br>
 {<br>
        audit_log_format(ab, " key=");<br>
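Review bot: The `usrns=` field is taken from `nsproxy->net_ns->user_ns->proc_inum`, but `struct net::user_ns` is the user namespace that owns the network namespace, not necessarily the user namespace the task currently runs in (that lives on the task's credentials, e.g. `task_cred_xxx(tsk, user_ns)`); as written, a task that unshared its user namespace but kept the initial netns would be logged with the wrong `usrns`. The user namespace should be read from the task's cred, which also removes the dependency of the usrns line on the netns pointer. The new function is also exported via include/linux/audit.h but has no kerneldoc; a short block above it stating that it appends the inode numbers of the task's pid, user, uts, ipc, mount and net namespaces as space-prefixed `name=%x` fields, and that the task's nsproxy may be NULL for an exiting task (hence the check), would help callers. Finally, every other audit field in these records is printed in decimal; the cover letter asks about hex, so whichever is chosen should be documented next to the format strings.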
@@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char *operation, struct path *link)<br>
                goto out;<br>
        audit_log_format(ab, "op=%s", operation);<br>
        audit_log_task_info(ab, current);<br>
+       audit_log_namespace_info(ab, current);<br>
        audit_log_format(ab, " res=0");<br>
        audit_log_end(ab);<br>
<br>
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c<br>
index 22831c4..2382a3e 100644<br>
--- a/kernel/audit_watch.c<br>
+++ b/kernel/audit_watch.c<br>
@@ -245,6 +245,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc<br>
                audit_log_format(ab, "auid=%u ses=%u op=",<br>
                                 from_kuid(&init_user_ns, audit_get_loginuid(current)),<br>
                                 audit_get_sessionid(current));<br>
+       audit_log_namespace_info(ab, current);<br>
                audit_log_string(ab, op);<br>
                audit_log_format(ab, " path=");<br>
                audit_log_untrustedstring(ab, w->path);<br>
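Review bot: The inserted `audit_log_namespace_info(ab, current);` sits between the format call that ends with `"... op="` and the `audit_log_string(ab, op)` that supplies its value, so the emitted record would read `op= pidns=... netns=... <op>`, separating the `op=` key from its value and corrupting the record for any parser. The call should move below the `audit_log_untrustedstring(ab, w->path);` line (or anywhere after the `op` string is written). The new line is also indented one level shallower than its neighbours; matching the surrounding indentation would make it visibly part of the same block. The enclosing function continues outside the hunk.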
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c<br>
index 14a78cc..9c4b004 100644<br>
--- a/kernel/auditfilter.c<br>
+++ b/kernel/auditfilter.c<br>
@@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re<br>
        if (!ab)<br>
                return;<br>
        audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);<br>
+       audit_log_namespace_info(ab, current);<br>
        audit_log_task_context(ab);<br>
        audit_log_format(ab, " op=");<br>
        audit_log_string(ab, action);<br>
diff --git a/kernel/auditsc.c b/kernel/auditsc.c<br>
index 10176cd..3c73a3b 100644<br>
--- a/kernel/auditsc.c<br>
+++ b/kernel/auditsc.c<br>
@@ -974,6 +974,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,<br>
        audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,<br>
                         from_kuid(&init_user_ns, auid),<br>
                         from_kuid(&init_user_ns, uid), sessionid);<br>
+       audit_log_namespace_info(ab, current);<br>
        if (sid) {<br>
                if (security_secid_to_secctx(sid, &ctx, &len)) {<br>
                        audit_log_format(ab, " obj=(none)");<br>
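Review bot: The fields already in this record (`opid=`, `oauid=`, `ouid=`, `oses=`) describe another task identified by `pid`, but the added call logs the namespaces of `current`, so the unprefixed `pidns=`/`netns=`/... fields would sit next to the "o"-prefixed fields while referring to a different task. If the intent is to record the other task's namespaces, the helper needs that task's `task_struct` (not visible in this hunk, which only has `pid`); if it really is meant to be the caller's namespaces, a one-line comment such as `/* namespaces of the requester, not of opid */` above the call would prevent misreading. The enclosing function starts and ends outside the hunk.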
@@ -1302,6 +1303,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts<br>
                         context->name_count);<br>
<br>
        audit_log_task_info(ab, tsk);<br>
+       audit_log_namespace_info(ab, current);<br>
        audit_log_key(ab, context->filterkey);<br>
        audit_log_end(ab);<br>
<br>
@@ -1987,6 +1989,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,<br>
                         current->pid, uid,<br>
                         oldloginuid, loginuid, oldsessionid, sessionid,<br>
                         !rc);<br>
+       audit_log_namespace_info(ab, current);<br>
        audit_log_end(ab);<br>
 }<br>
<br>
@@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)<br>
        if (unlikely(!ab))<br>
                return;<br>
        audit_log_task(ab);<br>
+       audit_log_namespace_info(ab, current);<br>
        audit_log_format(ab, " sig=%ld", signr);<br>
        audit_log_end(ab);<br>
 }<br>
@@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code)<br>
        if (unlikely(!ab))<br>
                return;<br>
        audit_log_task(ab);<br>
+       audit_log_namespace_info(ab, current);<br>
        audit_log_format(ab, " sig=%ld", signr);<br>
        audit_log_format(ab, " syscall=%ld", syscall);<br>
        audit_log_format(ab, " compat=%d", is_compat_task());<br>
--<br>
1.7.1<br>
<br>
</blockquote></div>